As disasters become more and more commonplace across the United States, strong cybersecurity is critical to keeping response systems operating smoothly. Organizations are particularly susceptible to cyber attacks during natural disasters, which could limit their ability to support the communities they aim to serve.
The U.S. Chamber of Commerce Foundation’s 12th Annual Building Resilience Conference aimed to address building resilience from all angles, including strengthening cybersecurity. In conversation with Christopher Roberti, Senior Vice President for Cyber, Space, and National Security Policy with the U.S. Chamber of Commerce, Eric Goldstein, Executive Assistant Director of Cyber Security at CISA shared his insights on how bolstering cybersecurity and public-private partnerships can help build more resilient communities.
Building Resilience in the Cyber Realm Supports Critical Infrastructure
Goldstein highlighted that at CISA, cybersecurity isn’t the end in itself, but a means to an end.
“The end that we’re seeking at CISA, as part of our broader collaborative model, is to ensure the functional resilience of critical infrastructure and essential systems under all conditions … [and] a variety of adverse events,” he explained.
To achieve this, CISA collaborates with private sector entities, government agencies, and partners worldwide.
“Our job is simple,” he added. “It’s to understand those risks, those threats, those vulnerabilities that can cause disruption to these critical services and take steps in partnership with the owners and operators of critical infrastructure and our partners in government in the United States and around the world.”
To reduce the likelihood of adverse events occurring, Goldstein noted that CISA takes precautionary measures, including “[providing] information that is actionable, tangible, and is usable to owners and operators of critical infrastructure to take steps to assure their security and resilience.”
With additional resources such as technical tools, assessments, and identifiable sources, organizations have a better chance of addressing potential harm before it occurs.
However, Goldstein added, “This only works if we do it in collaboration because no single organization has the levers, authorities, or resources to do it alone.”
Government Entities and Larger Organizations Must Shoulder Greater Responsibility
According to Goldstein, the publication of the National Cybersecurity Strategy marks an important strategic shift in the balance of roles and responsibilities: “The burden [and] accountability for cybersecurity and resilience has to be with those who are able to bear it.”
For example, he elaborated, local businesses, schools, hospitals, and other entities cannot be expected to stand alone in protecting against hazards.
“We need to … ensure that those partners in the private sector, particularly large technology companies, have the ability to enable security and technology resilience at scale,” Goldstein explained. “That’s the way that we can really help those smaller organizations that … are most at risk [and] also are such critical dependencies.”
To help with this, CISA’s Joint Cyber Security Defense Collaborative (JCDC) brings together large organizations across the U.S. in various sectors to find ways to enable shared security.
“[This] helps those smaller organizations rely more on government and … their providers, so they have a higher likelihood of maintaining the continuity of their critical services during an adverse event,” said Goldstein.
He added that this type of initiative — a “voluntary, collaborative” one that is mutually beneficial — can help maximize the resilience of organizations of all sizes, and that of our country as a whole.
Organizations Are Encouraged to Use CISA’s Resources for Cybersecurity
Non-governmental organizations (NGOs) have been particularly impacted and targeted by cyber attacks. To help mitigate this, Goldstein encourages NGOs to utilize CISA and its resources.
“In March, we released the second version of our Cybersecurity Performance Goals (CPGs) … [which are] designed to provide a simple, easy-to-use list of outcome-based security measures,” he said. “We also offer free assessments at CISA to help organizations understand on a recurring basis what an adversary sees of their technology and how they could be exploited.”
By bridging this gap between entities, Goldstein believes NGOs are more likely to stay resilient against attacks.
Addressing NGOs directly, he concluded: “This is an area where we can work together to make sure that your scarce dollars are being invested toward those security measures that reduce the most risk.”
